reverting change since it triggers too many false positives

author: Julien "shaddai" Reveret 2015-10-19 11:25:57 +0200
committer: Mathieu Deous 2015-10-29 14:55:04 +0100
commit: 585e7426a60e9ce99523e2c2eff61a72e84faa2b (patch)
tree: 73565a373ec2d952707a3b135ac9665be073d7cd
parent: 1f0f0b96241a40d59db5c949833be8e6e9bb748d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index c5af397..7610d18 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -104,7 +104,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
author	Julien "shaddai" Reveret	2015-10-19 11:25:57 +0200
committer	Mathieu Deous	2015-10-29 14:55:04 +0100
commit	585e7426a60e9ce99523e2c2eff61a72e84faa2b (patch)
tree	73565a373ec2d952707a3b135ac9665be073d7cd
parent	1f0f0b96241a40d59db5c949833be8e6e9bb748d (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index c5af397..7610d18 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -104,7 +104,7 @@ rule DodgyPhp
104	{	104	{
105	strings:	105	strings:
106	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	106	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
107	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)?\s\(\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/	107	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
108	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	108	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
109	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	109	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
110	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	110	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/